Revisit to the Bai-Galbraith signature scheme
Banhirup Sengupta, Peenal Gupta, Souvik Sengupta
TL;DR
This work revisits the Bai-Galbraith (BG) lattice-based signature scheme, which reduces signature size by omitting the $z_2$ component and proving knowledge of the secret vector $s$ alone, with the small error $e$ implicitly constrained in verification. It contrasts BG with Lyubashevsky's Fiat-Shamir SDKs and emphasizes the use of standard LWE over Ring-LWE, which affords greater parameter flexibility in $(n,m)$ at the cost of larger public keys. The construction relies on the Fiat-Shamir paradigm: signing computes $z=y+c s_1$ and applies rejection sampling to prevent leakage of the secret key, and verification ensures $High(Az-c t)=High(Ay)$ and $c=H(m,High(Az-c t))$. Overall, BG demonstrates practical, provably secure lattice-based signatures with reduced signature size, highlighting trade-offs between key size and signature efficiency suitable for post-quantum cryptography in bandwidth-constrained environments.
Abstract
Dilithium is one of the NIST-approved lattice-based signature schemes. In this short note we describe the Bai-Galbraith signature scheme proposed in BG14, which differs from Dilithium in that there is no public key compression. This lattice-based signature scheme is based on Learning with Errors (LWE).
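The signing and verification equations summarized in the TL;DR, carried through as an added toy example (not code from the paper or its authors). It assumes the matrix form in which the secret is $S$, the error is $E$, the public key is $T=AS+E$ and the challenge $c$ is a ternary vector, so the TL;DR's $cs$ and $ct$ become $Sc$ and $Tc$; the parameters, the SHA-256 challenge and the rounding used for `high` are illustrative assumptions and far too small to be secure.

```python
import hashlib, secrets

# Toy parameters, constructed for illustration only (not secure).
Q, N, M, K = 8380417, 8, 12, 16   # modulus, secret dim, rows of A, challenge length
D, B, ETA = 12, 1 << 10, 1        # dropped low bits, range of y, range of S and E
BETA = K * ETA                    # bound on every coefficient of Sc and Ec

def small(bound): return secrets.randbelow(2 * bound + 1) - bound
def centered(x): return (x + Q // 2) % Q - Q // 2
def high(x): return (centered(x) + (1 << (D - 1))) >> D
def low(x): return centered(x) - (high(x) << D)
def matvec(A, v): return [sum(a * b for a, b in zip(row, v)) % Q for row in A]

def challenge(msg, w_high):
    h = hashlib.sha256(msg + repr(w_high).encode()).digest()
    return [b % 3 - 1 for b in h[:K]]            # c in {-1,0,1}^K

def keygen():
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    S = [[small(ETA) for _ in range(K)] for _ in range(N)]
    E = [[small(ETA) for _ in range(K)] for _ in range(M)]
    T = [[(sum(A[i][l] * S[l][j] for l in range(N)) + E[i][j]) % Q
          for j in range(K)] for i in range(M)]
    return (A, T), S                             # E is discarded: only S is proven

def public_w(pk, z, c):
    A, T = pk                                    # Az - Tc = Ay - Ec (mod q)
    return [(a - b) % Q for a, b in zip(matvec(A, z), matvec(T, c))]

def sign(pk, S, msg):
    A, _ = pk
    while True:
        y = [small(B) for _ in range(N)]
        c = challenge(msg, [high(x) for x in matvec(A, y)])
        z = [yi + sum(s * cj for s, cj in zip(row, c)) for yi, row in zip(y, S)]
        v = public_w(pk, z, c)
        # Rejection sampling: z must not depend on S, and adding Ec (|Ec| <= BETA)
        # must neither cross a rounding boundary nor wrap mod q, so that
        # High(Az - Tc) = High(Ay) without ever sending a z_2 for E.
        if (max(map(abs, z)) <= B - BETA
                and all(abs(low(x)) < (1 << (D - 1)) - BETA for x in v)
                and all(abs(centered(x)) < Q // 2 - BETA for x in v)):
            return z, c

def verify(pk, msg, sig):
    z, c = sig
    w_high = [high(x) for x in public_w(pk, z, c)]
    return max(map(abs, z)) <= B - BETA and c == challenge(msg, w_high)
```

Both rejection conditions on `v` are evaluated on $Az-Tc$, which the verifier can also compute, so the accept/reject decision itself does not depend on $E$.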
